61 matches found
OpenClaw: Zalo replay dedupe cache could suppress events across authenticated webhook targets
Summary Before OpenClaw 2026.3.31, the Zalo webhook replay-dedupe cache was shared across authenticated webhook targets and keyed too broadly. In multi-account deployments, a replay seen on one account could suppress a legitimate event on another account if eventname and messageid matched. Impact...
GHSA-FQRJ-M88P-QF3V OpenClaw: Zalo replay dedupe cache could suppress events across authenticated webhook targets
Summary Before OpenClaw 2026.3.31, the Zalo webhook replay-dedupe cache was shared across authenticated webhook targets and keyed too broadly. In multi-account deployments, a replay seen on one account could suppress a legitimate event on another account if eventname and messageid matched. Impact...
CVE-2026-32053
OpenClaw versions prior to 2026.2.23 contain a vulnerability in Twilio webhook event deduplication where normalized event IDs are randomized per parse, allowing replay events to bypass manager dedupe checks. Attackers can replay Twilio webhook events to trigger duplicate or stale call-state...
GHSA-3R78-RQG8-95GG Duplicate Advisory: OpenClaw's voice-call Twilio webhook replay could bypass manager dedupe because normalized event IDs were randomized per parse
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-vqx8-9xxw-f2m7. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.2.23 contain a vulnerability in Twilio webhook event deduplication where normalized...
CVE-2026-32053 OpenClaw < 2026.2.23 - Twilio Webhook Replay Bypass via Randomized Event ID Normalization
OpenClaw versions prior to 2026.2.23 contain a vulnerability in Twilio webhook event deduplication where normalized event IDs are randomized per parse, allowing replay events to bypass manager dedupe checks. Attackers can replay Twilio webhook events to trigger duplicate or stale call-state...
CVE-2026-32053 OpenClaw < 2026.2.23 - Twilio Webhook Replay Bypass via Randomized Event ID Normalization
OpenClaw versions prior to 2026.2.23 contain a vulnerability in Twilio webhook event deduplication where normalized event IDs are randomized per parse, allowing replay events to bypass manager dedupe checks. Attackers can replay Twilio webhook events to trigger duplicate or stale call-state...
CVE-2026-32053 OpenClaw < 2026.2.23 - Twilio Webhook Replay Bypass via Randomized Event ID Normalization
OpenClaw versions prior to 2026.2.23 contain a vulnerability in Twilio webhook event deduplication where normalized event IDs are randomized per parse, allowing replay events to bypass manager dedupe checks. Attackers can replay Twilio webhook events to trigger duplicate or stale call-state...
CVE-2026-32053
CVE-2026-32053 affects OpenClaw versions prior to 2026.2.23. The root cause is a flaw in Twilio webhook event deduplication, where normalized event IDs are randomized per parse, allowing replayed webhook events to bypass dedupe checks. This can cause duplicate or stale call-state transitions, lea...
OpenClaw's Nextcloud Talk webhook replay could trigger duplicate inbound processing
Summary When Nextcloud Talk webhook signing was valid, replayed requests could be accepted without durable replay suppression, allowing duplicate inbound processing after replay-window expiry or process restart. Details OpenClaw's Nextcloud Talk webhook path verified HMACsecret, random + body but...
GHSA-R9Q5-C7QC-P26W OpenClaw's Nextcloud Talk webhook replay could trigger duplicate inbound processing
Summary When Nextcloud Talk webhook signing was valid, replayed requests could be accepted without durable replay suppression, allowing duplicate inbound processing after replay-window expiry or process restart. Details OpenClaw's Nextcloud Talk webhook path verified HMACsecret, random + body but...
OpenClaw's voice-call Twilio replay dedupe now bound to authenticated webhook identity
Summary The voice-call Twilio webhook path accepted replay/dedupe identity from unsigned request metadata i-twilio-idempotency-token, enabling replayed signed requests to bypass replay detection and manager dedupe by mutating only that header. Affected Packages / Versions - Package: openclaw npm ...
GHSA-GCJ7-R3HG-M7W6 OpenClaw's voice-call Twilio replay dedupe now bound to authenticated webhook identity
Summary The voice-call Twilio webhook path accepted replay/dedupe identity from unsigned request metadata i-twilio-idempotency-token, enabling replayed signed requests to bypass replay detection and manager dedupe by mutating only that header. Affected Packages / Versions - Package: openclaw npm ...
OpenClaw's voice-call Twilio webhook replay could bypass manager dedupe because normalized event IDs were randomized per parse
Impact Twilio webhook replay events could bypass voice-call manager dedupe because normalized event IDs were randomized per parse. A replayed event could be treated as new and trigger duplicate or stale call-state transitions. Affected Packages / Versions - Package: openclaw npm - Vulnerable...
GHSA-VQX8-9XXW-F2M7 OpenClaw's voice-call Twilio webhook replay could bypass manager dedupe because normalized event IDs were randomized per parse
Impact Twilio webhook replay events could bypass voice-call manager dedupe because normalized event IDs were randomized per parse. A replayed event could be treated as new and trigger duplicate or stale call-state transitions. Affected Packages / Versions - Package: openclaw npm - Vulnerable...
PT-2026-26224
Summary When Nextcloud Talk webhook signing was valid, replayed requests could be accepted without durable replay suppression, allowing duplicate inbound processing after replay-window expiry or process restart. Details OpenClaw's Nextcloud Talk webhook path verified HMACsecret, random + body but...
Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-000925)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-000925 advisory. Race condition in the ioctlfilededuperange function in fs/ioctl.c in the Linux kernel through 4.7 allows local users to cause a denial of service heap-based buffer...
Unity Linux 20.1060a / 20.1070a Security Update: kernel (UTSA-2026-002926)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-002926 advisory. Race condition in the ioctlfilededuperange function in fs/ioctl.c in the Linux kernel through 4.7 allows local users to cause a denial of service heap-based buffer...
CVE-2024-39897
zot is an OCI image registry. Prior to 2.1.0, the cache driver GetBlob allows read access to any blob without access control check. If a Zot accessControl policy allows users read access to some repositories but restricts read access to other repositories and dedupe is enabled it is enabled by...
EUVD-2024-2258
Malicious code in bioql PyPI...
Malicious code in dedupe-chunks-webpack-plugin (npm)
The package dedupe-chunks-webpack-plugin was found to contain malicious code...